Bug#712289: openssh-server: invalid user logging skipped if username is capitalized version of a valid name



Package: openssh-server
Version: 1:5.5p1-6+squeeze3
Severity: normal

It appears that when authenticating using a public key the case of the
username is important, but when evaluating whether to log failed login
attempts a case-insensitive comparison is done.

Backstory: I was attempting to help a new user log in to an SSH server.
Their login was failing, but nothing was appearing in /var/log/auth.log.
I determined experimentally that OpenSSH logs "invalid user $name from
$ip" when an invalid name is given, and logs nothing when an incorrect
key is offered for a valid name. This led me to believe the user was not
using the correct key. In fact, they were using the correct key. We
eventually determined that they were capitalizing the first character of
their username (on their SSH client on an iPhone) while on the server
their username was all-lowercase. This caused authentication to fail,
but did not cause OpenSSH to log that an invalid name was used.

